直 Japanese PDF Font
  • Our Professionals
  • Our Work
  • Our Insights
  • Offices
  • Firm
  • Careers
Finnegan
  • Articles & Books
    • Ad Law Buzz Blog
    • At the PTAB Blog
    • European IP Blog
    • Federal Circuit IP Blog
    • INCONTESTABLE® Blog
    • Prosecution First Blog
  • Events & Webinars
  • IP Updates
  • Podcasts
    • AI + Finnegan
    • AI + Copyright
    • AI + Patent
    • AI + Privacy
    • AI + Trade Secrets
    • AI + Trademark
  • Unified Patent Court (UPC) Hub

Article

Broadening the Scope of Private Claims Under the CCPA

July 16, 2025

By Hira Javed; Lynn Parker Dupree


  1. Broader Scope of CCPA Claims: Recent California court decisions have expanded the scope of privacy actions under the CCPA to include claims for unauthorized disclosure of personal information without permission, even if a data breach did not occur.

  2. Examples of Court Rulings: In cases like Shah v. Capital One and M.G. v. Therapymatch, courts allowed CCPA claims to proceed based on allegations of unauthorized disclosures through tracking tools, highlighting that a specific data breach is not necessary to maintain such claims.

  3. Implications for Businesses: Companies must maintain robust security measures and transparent privacy policies, especially regarding third-party tracking tools, to mitigate risks of potential CCPA violations and litigation.

California courts have seemingly broadened the scope of privacy actions brought under the data breach section of the California Consumer Privacy Act (CCPA). While actions for violations of other provisions of the CCPA may be brought by the California Privacy Protection Agency, individuals may file suit for personal information data breaches.[1]  Specifically, “any consumer whose nonencrypted and nonredacted personal information, . . . or whose email address in combination with a password or security question and answer that would permit access to the account is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . may institute a civil action . . . .”[2]

While practitioners understood this provision to be specifically related to data breaches, some California courts have begun to allow claims under this provision to survive preliminary motions, even where the facts alleged do not include breach specifically, and instead assert the claim based on the disclosure of personal information without consent due to the business’s failure to maintain reasonable security practices.[3] For example, in a March 2025 ruling on a motion to dismiss in Shah v. Capital One, the Northern District of California granted-in-part and denied-in-part Capital One’s motion to dismiss, particularly finding that the plaintiffs had stated a claim with respect to allegations under the CCPA despite not alleging a data breach.[4]

In this instance, the Plaintiffs in this class action asserted 17 causes of action based on allegations that the financial institution unlawfully disclosed their personal information, financial information, and communications to third parties through tracking software embedded on the Capital One website.[5] The Court found that because these trackers were used and transmitted Plaintiffs’ personal and financial information, the plaintiffs did not need to allege a data breach to maintain the CCPA claim.[6]

Previous California decisions have held similarly. In another Northern District decision, M.G. v. Therapymatch, the court held that a CCPA claim could survive a motion to dismiss where the  plaintiffs alleged disclosure of personal information, including confidential medical and health insurance information via online tracking tools.[7] In Ramos v. Wells Fargo Bank, N.A., a Southern District court held that the plaintiff was not required to plead that there was a data breach and found the plaintiff’s CCPA claim sufficient to file a motion to dismiss because the plaintiff alleged that unknown individuals accessed information regarding his savings account due to the bank’s failure to  implement and maintain reasonable security procedures.[8]

These decisions indicate a changing landscape in privacy litigation under the CCPA. Companies should take extra care to ensure they understand the data collected and shared with third-party tracking tools on their websites, obtain consent when required, and work to ensure that their privacy policies are up-to-date and can account for any transmission of personal or sensitive information.  

Endnotes

[1] Cal. Civ. Code §§ 1798.150, 1798.199.10.

[2] Id. § 1798.150(a)(1).

[3] Shah v. Capital One, 768 F.Supp.3d 1033, 1048-49 (N.D.Cal. 2025).

[4] See id. at 1048-49, 1053-56.

[5] See id. at 1042-43, 1048-49.

[6] See id.

[7] 23-cv-04422-AMO, 2024 WL 4219992, at *7 (N.D. Cal. Sept. 16, 2024).

[8] 23-cv-0757-L-BGS, 2023 WL 5310540, at *2 (S.D. Cal. Aug. 17, 2023).

Tags

California Consumer Privacy Act (CCPA)

Related Practices

Diligence, Licensing, and Opinions

Privacy

Related Offices

Washington, DC

Related Professionals

Lynn Parker Dupree
Partner
Washington, DC
+1 202 408 4462
Email

Copyright © Finnegan, Henderson, Farabow, Garrett & Dunner, LLP. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm’s clients.

Related Insights

Conference

IAM Live: Navigating the UPC 2026

November 3, 2026

Paris

Webinar

Successful Strategies to Win Alice Motions and Fee Awards in Patent Cases Against Non-Practicing Entities

July 22, 2026

Webinar

Webinar

Early Motions in Trade Secret Litigation – Offensive and Defensive Insights

July 15, 2026

Webinar

Lecture

IPIC/McGill Summer IP Course 2026: Understanding Trademarks

July 14, 2026

Montreal

Federal Circuit IP Blog

Federal Circuit Vacates and Remands Infringement and Damages Judgment After Erroneous Verdict Form and Eligibility Analysis

July 8, 2026

Federal Circuit IP Blog

“2” Does Not Provide Written Description Support for “1”: Federal Circuit Affirms District Court’s Invalidation of Patent

July 8, 2026

Webinar

Inventive Step in Europe and the US: Comparing the UPC, EPO and National Approaches

July 8, 2026

Webinar

Articles

EPR Academy, Part 4 of 6: Choosing Between EPR, IPR, PGR, and Reissue

July 1, 2026

Articles

Article_D.-Mass-Patent-Litigation-Update-October-2024

D. Mass. Patent Litigation Update: May 2026

June 30, 2026

Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.

  • Privacy
  • Disclaimer
  • Legal Notices
  • Fraud Alert
  • EEO Statement
  • Cookies
  • Contact Us

© 2026 Finnegan, Henderson, Farabow, Garrett & Dunner, LLP